i'm one of the debian developers responsible for maintaining php4/php5, and by
extension, pear. I had some questions on #pear and was suggested that i post
them here, so here goes...
currently the pear package available in debian is generated from the phar
archive included by the php5 tarball. the problem with this is it makes it
very difficult for us to modify the source code inside the phar. so, when
security issues come out (such as CVE-2007-2519), it's very difficult for us
to provide a patch for a previous release of pear.
so, i'm wondering if there's a better system that we can use to provide the
pear package, perhaps seperately from the php tarball. however, i don't see
any way to just get a plain old vanilla tarball of pear. assuming you guys
don't actually provide that, how feasible would it be for us to base a source
package off of a CVS tag? do you have your "turn CVS checkout into a phar
installer" in CVS as well? do you have any other suggestions?
 in this case it's probably not worth a patch to previous releases, but it
still brings the problem to light.